Zero-Day Flaw in Apache OFBiz open-source ERP allows Remote Code Execution (CVE-2024-38856)

Published On: Aug 16, 2024 18:59

Advisory No: TZCERT-SA-24-0015

Source: Apache OFBiz

Software Affected: Apache OFBiz

Overview

Apache OFBiz is vulnerable to a zero-day remote code execution vulnerability. Successful exploitation of the vulnerability may allow attackers to take control of the affected device.

Description

Apache OFBiz open-source enterprise resource planning (ERP) is affected by a critical vulnerability tracked as CVE-2024-38856 with a CVSS score of 9.8. The flaw results from improper limitation of a pathname to a restricted directory ('Path Traversal') leading to failure of the authentication mechanism. Leveraging the vulnerability allows the attacker to achieve remote code execution via specially crafted requests.

Impact

Successful exploitation of this vulnerability may allow an attacker to take control of the affected device.

Solution

Apache has released a patch for this vulnerability. Users and administrators are encouraged to apply necessary updates.

Subscribe To TZ - CERT Newsletter

A digest of Tanzania Computer Emergency Response Team coverage of cyber-security news across the globe.

Subscribe
Report Incident